[krbdev.mit.edu #9037] Race condition in krb5_set_password()

Greg Hudson via RT rt at kerborg-prod-app-1.mit.edu
Fri Nov 12 13:04:40 EST 2021


<URL: http://kerborg-prod-app-1.mit.edu/rt/Ticket/Display.html?id=9037 >

After some thought, I think a reasonable strategy is to try TCP only, and
after that completely fails, try UDP only.  This will have terrible
performance if TCP/464 is blackholed, but it will at least work.

I can see two basic implementation directions: we could define a new
k5_transport_strategy and handle this within k5_sendto(), or we could make two
separate calls to k5_sendto().  The latter option still requires an adjustment
to the internal k5_locate/k5_sendto APIs since we can't currently ask for UDP
only.

This plan does not rule out potential TCP-only races involving multiple admin
servers, but I think we can defer worrying about that until it becomes a real
issue.
